Description
The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the [pc-login-form] shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'align' attribute. Specifically, the attribute value flows from the shortcode through pc_login_form() to pc_static::form_align(), where it is directly concatenated into an HTML class attribute without esc_attr() or any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
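The data flow described above (a shortcode attribute concatenated straight into an HTML class attribute) is a common WordPress shortcode bug, and the fix is the same pattern every time: validate the value against the small set the feature supports, then escape on output. The following PHP is an added illustration, not the plugin's code: `vulnerable_form_align()` and `hardened_form_align()` are hypothetical stand-ins for the `pc_static::form_align()` path the description names, the `esc_attr()` fallback exists only so the file runs outside WordPress, and the probe string is constructed here to show attribute breakout without any script, the kind of harmless check the Recommended Actions suggest.

```php
<?php
// Added illustration (not from the PrivateContent Free plugin).
// Compares an unescaped concatenation into a class attribute with a
// hardened version that allowlists the value and escapes on output.

// Stand-in for WordPress' esc_attr() so this runs as plain PHP.
// Inside WordPress the real esc_attr() is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (hypothetical name): the shortcode attribute is
// trusted and dropped into markup as-is. A double quote in the value
// closes the class attribute and whatever follows becomes new markup.
function vulnerable_form_align($align) {
    return '<div class="pc-login-form ' . $align . '">';
}

// Hardened pattern (hypothetical name):
//  1. reduce the input to the values the feature actually supports;
//  2. escape on output anyway, so a later change to the allowlist or to
//     the markup cannot silently reintroduce the injection.
function hardened_form_align($align) {
    $allowed = array('left', 'center', 'right');
    $align   = strtolower(trim((string) $align));
    if (!in_array($align, $allowed, true)) {
        $align = 'left'; // safe default; never echo the rejected input
    }
    return '<div class="pc-login-form pc-align-' . esc_attr($align) . '">';
}

// Verification helper: the rendered tag must contain exactly one opening
// and one closing quote for the class attribute. Extra quotes mean the
// value escaped the attribute context.
function attribute_is_intact($html) {
    return substr_count($html, '"') === 2;
}

// Constructed probe: a quote plus an inert attribute, no script involved.
$probe = 'center" data-probe="1';

$vuln = vulnerable_form_align($probe);
$safe = hardened_form_align($probe);

echo "vulnerable: " . $vuln . PHP_EOL;   // attribute breakout visible
echo "intact?     " . (attribute_is_intact($vuln) ? 'yes' : 'no') . PHP_EOL;
echo "hardened:   " . $safe . PHP_EOL;   // falls back to pc-align-left
echo "intact?     " . (attribute_is_intact($safe) ? 'yes' : 'no') . PHP_EOL;
```

Allowlisting alone would already stop this case, but keeping `esc_attr()` on the output is what protects the markup when someone later adds a free-form value to the list; both layers belong in the fix.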
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via authenticated user input
Action: Immediate Patch
AI Analysis

Impact

The PrivateContent Free plugin for WordPress lets authenticated users with Contributor-level access or higher embed JavaScript in the 'align' attribute of the [pc-login-form] shortcode. Because the plugin neither sanitizes nor escapes the attribute, the injected value is stored with the post and later rendered inside an HTML class attribute, enabling cross-site scripting that can hijack sessions, deface content, or exfiltrate data. This is a classic stored XSS: the payload is served to every visitor who loads the affected page.

Affected Systems

All installations of the PrivateContent Free plugin at version 1.2.0 or earlier are vulnerable. The flaw affects WordPress sites that have the plugin installed and render the vulnerable shortcode.

Risk and Exploitability

Security analysis assigns a CVSS score of 6.4, reflecting moderate severity. The very low EPSS score (below 1%) suggests no publicly available exploit data, and the vulnerability is not listed in CISA's KEV catalog, indicating it has not yet been broadly exploited. However, attackers with Contributor or higher permissions can craft a malicious value for the 'align' attribute to trigger stored XSS, which could lead to privilege escalation or defacement on sites lacking proper input guarding.

Generated by OpenCVE AI on April 8, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PrivateContent Free plugin to the latest version that contains the fix.
  • If an update is not available, remove or disable the plugin from sites where it is not essential.
  • If the plugin is required, ensure that users with Contributor access are replaced with lower-privilege roles or that the attribute is omitted from the shortcode usage.
  • Verify that the vulnerability has been mitigated by attempting to inject a harmless payload in the align attribute and confirming it does not execute.

Generated by OpenCVE AI on April 8, 2026 at 10:20 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Lcweb-projects
                                       Lcweb-projects privatecontent Free
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Lcweb-projects
                                       Lcweb-projects privatecontent Free
                                       Wordpress
                                       Wordpress wordpress

Wed, 08 Apr 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 09:45:00 +0000

Type                  Values Removed   Values Added
Description                            The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the [pc-login-form] shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'align' attribute. Specifically, the attribute value flows from the shortcode through pc_login_form() to pc_static::form_align(), where it is directly concatenated into an HTML class attribute without esc_attr() or any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                                  PrivateContent Free <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute
Weaknesses                             CWE-79
References
Metrics                                cvssV3_1
                                       {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:14.677Z

Reserved: 2026-03-11T20:53:14.633Z

Link: CVE-2026-4025

Vulnrichment

Updated: 2026-04-08T13:21:19.899Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T10:16:00.813

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-4025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:54Z

Weaknesses